RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v4]

Sean Mullan mullan at openjdk.java.net
Fri Apr 29 19:21:44 UTC 2022


On Fri, 29 Apr 2022 17:06:28 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

>> Please review these changes to add DES/3DES/MD5 to `jdk.security.legacyAlgorithms` security property, and to add the legacy algorithm constraint checking to `keytool` commands that are associated with secret key entries stored in the keystore. These `keytool` commands are -genseckey, -importpass, -list, and -importkeystore. As a result, `keytool` will be able to generate warnings when it detects that the secret key based algorithms and PBE based Mac and cipher algorithms are weak. Also removes the "This algorithm will be disabled in a future update." from the existing warnings for the asymmetric keys/certificates.
>> Will also file a CSR.
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Removed RC2 changes

src/java.base/share/conf/security/java.security line 644:

> 642: #
> 643: # In some environments, a certain algorithm or key length may be undesirable
> 644: # but is not yet disabled.

I would also remove the words "but is not yet disabled." An algorithm may be disabled at different times for different components, such as TLS or Kerberos, so it isn't always a yes or no answer. Also, if a disabled algorithm is re-enabled (by modifying the security properties), we still want `keytool` or `jarsigner` to show warnings.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8300
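As an added illustration of the check the PR description talks about (this is not code from the PR or from the JDK's own `keytool`), the following standalone program reads `jdk.security.legacyAlgorithms` from the running JDK, parses the subset of its syntax used by the values discussed here (bare algorithm names and `keySize < N` bounds; assumed to be sufficient for this property), and reports which freshly generated secret keys would draw a legacy warning. The fallback property value is constructed here for JDKs that predate the change.

```java
import java.security.Security;
import java.util.*;
import java.util.regex.*;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class LegacyAlgCheck {
    // One parsed entry of jdk.security.legacyAlgorithms: an algorithm name plus an
    // optional "keySize < N" bound. Only these two entry forms are handled here.
    record Constraint(String alg, int keySizeBelow) {
        boolean matches(String algorithm, int keySize) {
            return alg.equalsIgnoreCase(algorithm)
                && (keySizeBelow < 0 || keySize < keySizeBelow);
        }
    }

    private static final Pattern ENTRY =
        Pattern.compile("(\\S+)(?:\\s+keySize\\s*<\\s*(\\d+))?");

    // Split the comma-separated property and parse each entry; entries in a
    // syntax this helper does not understand are skipped rather than guessed at.
    static List<Constraint> parse(String prop) {
        List<Constraint> out = new ArrayList<>();
        for (String raw : prop.split(",")) {
            Matcher m = ENTRY.matcher(raw.trim());
            if (m.matches()) {
                int bound = m.group(2) == null ? -1 : Integer.parseInt(m.group(2));
                out.add(new Constraint(m.group(1), bound));
            }
        }
        return out;
    }

    static Optional<Constraint> legacyReason(List<Constraint> cs, String alg, int bits) {
        return cs.stream().filter(c -> c.matches(alg, bits)).findFirst();
    }

    public static void main(String[] args) throws Exception {
        // Prefer the running JDK's property; on a JDK without the DES/3DES/MD5
        // additions, fall back to a constructed value mirroring the PR's intent.
        String prop = Security.getProperty("jdk.security.legacyAlgorithms");
        if (prop == null || !prop.contains("DES")) {
            prop = "SHA1, RSA keySize < 2048, DSA keySize < 2048, DES, DESede, MD5";
        }
        List<Constraint> cs = parse(prop);

        // Constructed sample keys of the kinds keytool -genseckey can produce.
        for (String alg : new String[] {"DES", "DESede", "AES"}) {
            SecretKey k = KeyGenerator.getInstance(alg).generateKey();
            int bits = k.getEncoded().length * 8;
            System.out.println(alg + " (" + bits + " bits): "
                + legacyReason(cs, k.getAlgorithm(), bits)
                      .map(c -> "WARNING: legacy algorithm " + c.alg()).orElse("ok"));
        }
    }
}
```

Because the check runs against the property value rather than against whether the algorithm is currently disabled, re-enabling DES by editing the security properties would still produce the warning, which is the behaviour the review comment above argues for.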